Re: [squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-08 Thread The_Spider
I can confirm that this configuration works as requested with the
configuration Jok Thuau had posted with the latest version 3.5.16.

Thank you so much for the response and the assistance.

On Thu, Apr 7, 2016 at 1:15 PM, Jok Thuau wrote:
> with 3.5.15, I have this config:
>
> ---8<---
> https_port 8443 intercept ssl-bump generate-host-certificates=on \
> dynamic_cert_mem_cache_size=64MB \
> cert=/etc/squid/ssl/proxy.pem \
> key=/etc/squid/ssl/proxy.key \
> cafile=/etc/squid/ssl/proxy.pem
> --->8---
>
> proxy.pem is the concatenation of both the CA cert (intermediate) followed
> by the root cert (my offline CA). Best I can tell, all of it is sent back to
> the client (generated cert, intermediate and root CA).
>
> HTH
> Jok
>
>
>
>
> On Thu, Apr 7, 2016 at 10:59 AM, Amos Jeffries wrote:
>>
>> On 7/04/2016 5:25 a.m., Nicolaas Hyatt wrote:
>> > Amos,
>> > Thanks for your quick response and your time. I have not yet messed with
>> > 4.0. Is this something that may find its way into the 3.x stable branch
>> > at some point?
>> >
>>
>> Maybe. I am reliant on the guys doing OpenSSL code (aka. Christos) to
>> test the backporting though. So it will depend on whether he thinks it's
>> important enough.
>>
>> I'm hopeful, but no guarantees.
>>
>> Amos
>>
>> ___
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-07 Thread Jok Thuau
with 3.5.15, I have this config:

---8<---
https_port 8443 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=64MB \
cert=/etc/squid/ssl/proxy.pem \
key=/etc/squid/ssl/proxy.key \
cafile=/etc/squid/ssl/proxy.pem
--->8---

proxy.pem is the concatenation of both the CA cert (intermediate) followed
by the root cert (my offline CA). Best I can tell, all of it is sent back
to the client (generated cert, intermediate and root CA).

HTH
Jok




On Thu, Apr 7, 2016 at 10:59 AM, Amos Jeffries wrote:

> On 7/04/2016 5:25 a.m., Nicolaas Hyatt wrote:
> > Amos,
> > Thanks for your quick response and your time. I have not yet messed with
> > 4.0. Is this something that may find its way into the 3.x stable branch
> > at some point?
> >
>
> Maybe. I am reliant on the guys doing OpenSSL code (aka. Christos) to
> test the backporting though. So it will depend on whether he thinks it's
> important enough.
>
> I'm hopeful, but no guarantees.
>
> Amos
>
>
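
The trust-chain failure from the original question, and the effect of a bundle laid out like the proxy.pem described above, can be reproduced offline with the openssl CLI. This is an added example, not part of the thread or of Squid; the subjects, file names and the helpers make_chain, issue and client_accepts are constructed for illustration.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf PKI mirroring the thread's layout.
make_chain() {   # $1 = empty working directory
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Root (self-signed): stands in for the offline CA installed on the clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ext.cnf" \
    -extensions ca -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate: the CA the proxy would sign generated host certificates with.
  issue "$d" root int ca "/CN=Constructed Intermediate CA" || return 1
  # Leaf: plays the role of a certificate generated for a bumped host.
  issue "$d" int leaf leaf "/CN=www.example.test" || return 1
  # Bundle in the order described in the thread: intermediate, then root.
  cat "$d/int.pem" "$d/root.pem" > "$d/proxy.pem"
}

issue() {        # $1 dir, $2 issuer, $3 new cert name, $4 ext section, $5 subject
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$3.pem" 2>/dev/null
}

# Verify the leaf as a client that trusts only the root.
# $2 (optional) = PEM file of extra certificates sent alongside the leaf.
client_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

work=$(mktemp -d) && make_chain "$work" || exit 1
client_accepts "$work" && echo "leaf alone: accepted" || echo "leaf alone: rejected"
client_accepts "$work" "$work/proxy.pem" && echo "leaf + proxy.pem: accepted" || echo "leaf + proxy.pem: rejected"
```

Against a running proxy, openssl s_client with -showcerts prints the certificates the server actually sends, which is the live counterpart of the check done here on files.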


Re: [squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-07 Thread Amos Jeffries
On 7/04/2016 5:25 a.m., Nicolaas Hyatt wrote:
> Amos,
> Thanks for your quick response and your time. I have not yet messed with
> 4.0. Is this something that may find its way into the 3.x stable branch
> at some point?
> 

Maybe. I am reliant on the guys doing OpenSSL code (aka. Christos) to
test the backporting though. So it will depend on whether he thinks it's
important enough.

I'm hopeful, but no guarantees.

Amos



Re: [squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-06 Thread Nicolaas Hyatt

Amos,
Thanks for your quick response and your time. I have not yet messed with 
4.0. Is this something that may find its way into the 3.x stable branch 
at some point?





Re: [squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-06 Thread Amos Jeffries
On 6/04/2016 10:49 a.m., Nicolaas Hyatt wrote:
> I know I'm a few minor revisions behind, but I am a little confused as
> to if it is possible to request squid include the configured certificate
> along with the certificate generated. I know that this is somewhat
> confusing to read.
> 
> +Root (Self Signed) CA Cert
> |
> `+ Intermediate Certificate (Used by squid.)
>  |
>  `- Squid Auto Generated Certificate
> 
> I have the Self Signed Root CA Cert installed on all the systems, but
> the Intermediate Certificate is not sent by squid, so the trust chain
> fails. I have been reading threads here and there and saw a post from
> Amos a bit ago (referring to squid v3.3) where there may (or may not)
> have been a configuration option to modify squid's behavior to do as I
> am requesting, but details in the thread do not include the
> configuration directive.

FYI: each of the Squid 3.2 -> 4.0 series so far have had significantly
different TLS handling code. So comments about one series are unlikely
to be relevant to the others, particularly in regards to SSL-Bump
functionality.

> 
> If this is not a valid feature, I understand, and can fully accept that
> answer, I'm not complaining about free software!

This is one of the things that is currently still being sorted out. In
some cases the current releases should just send the certs, in some it
should not, in others it should but doesn't. So YMMV.

The patch that just went in today sounds to me like what you are
needing. So you might want to try the Squid-4.0.8 with this extra patch
() or
a 4.0 daily snapshot rev.14626 (or later) when it becomes available.

Amos



[squid-users] Sending intermediate certificate with SSL-Bumped Certificate. (V3.5.1516-3-2-r14000)

2016-04-05 Thread Nicolaas Hyatt
I know I'm a few minor revisions behind, but I am a little confused as 
to if it is possible to request squid include the configured certificate 
along with the certificate generated. I know that this is somewhat 
confusing to read.


+Root (Self Signed) CA Cert
|
`+ Intermediate Certificate (Used by squid.)
 |
 `- Squid Auto Generated Certificate

I have the Self Signed Root CA Cert installed on all the systems, but 
the Intermediate Certificate is not sent by squid, so the trust chain 
fails. I have been reading threads here and there and saw a post from 
Amos a bit ago (referring to squid v3.3) where there may (or may not) 
have been a configuration option to modify squid's behavior to do as I 
am requesting, but details in the thread do not include the 
configuration directive.


If this is not a valid feature, I understand, and can fully accept that 
answer, I'm not complaining about free software!


